c8630c934816d7f58123180e7140a74a8e73fb028f51a05a8c4d1688c26525a3

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20-08-2024 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Size

1.6MB
MD5

ad33917223ebfc382731a6bd5be2e58f
SHA1

8cdc9383df1a037deca295a346e6446904c102ea
SHA256

c8630c934816d7f58123180e7140a74a8e73fb028f51a05a8c4d1688c26525a3
SHA512

4095e87822d5f364c2c0f3c075d158355ca48e64a82f0fbae2d87c992b6e0e3327078819228c5b95f257a19f6752f706be6aa2a61dca5e307873c946992d999f
SSDEEP

24576:kbe7rdceZZgC4Lr6mBwW+I5YLBv/i3zP4MA365nXSJgtY3AakCYYs4Oe4T0CE:tZgL6m1EBy3cMPbWQprYsZy

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0005000000018708-150.dat	acprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe

Executes dropped EXE 10 IoCs

pid	Process
1164	reg64.exe
2012	reg64.exe
1320	reg64.exe
2244	reg64.exe
1564	reg64.exe
1048	reg64.exe
1632	reg64.exe
1356	msgbox.exe
1908	msgbox.exe
2412	autorun.exe

Loads dropped DLL 21 IoCs

pid	Process
3028	cmd.exe
3028	cmd.exe
3028	cmd.exe
3028	cmd.exe
3028	cmd.exe
3028	cmd.exe
3028	cmd.exe
3028	cmd.exe
3028	cmd.exe
3028	cmd.exe
3028	cmd.exe
3028	cmd.exe
3028	cmd.exe
3028	cmd.exe
3028	cmd.exe
3028	cmd.exe
3028	cmd.exe
3028	cmd.exe
3028	cmd.exe
3028	cmd.exe
2412	autorun.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2292-0-0x0000000000400000-0x0000000000851000-memory.dmp	upx
behavioral1/memory/2800-1-0x0000000000400000-0x0000000000851000-memory.dmp	upx
behavioral1/memory/2800-9-0x0000000000400000-0x0000000000851000-memory.dmp	upx
behavioral1/memory/2800-12-0x0000000000400000-0x0000000000851000-memory.dmp	upx
behavioral1/memory/2800-14-0x0000000000400000-0x0000000000851000-memory.dmp	upx
behavioral1/memory/2800-11-0x0000000000400000-0x0000000000851000-memory.dmp	upx
behavioral1/memory/2800-10-0x0000000000400000-0x0000000000851000-memory.dmp	upx
behavioral1/memory/2292-116-0x0000000000400000-0x0000000000851000-memory.dmp	upx
behavioral1/memory/2800-137-0x0000000000400000-0x0000000000851000-memory.dmp	upx
behavioral1/files/0x0005000000018708-150.dat	upx
behavioral1/memory/2412-152-0x0000000010000000-0x000000001007E000-memory.dmp	upx
behavioral1/memory/2412-162-0x0000000010000000-0x000000001007E000-memory.dmp	upx

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2264	sc.exe
2068	sc.exe
1664	sc.exe
1260	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msgbox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	autorun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	makecab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xcopy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Modifies registry class 29 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\Version\ = "9.4"	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\Implemented Categories	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\InprocServer32	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\InprocServer32\RuntimeVersion = "v2.0.50727"	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727"	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\Version	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\Control	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\InprocHandler32	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\LocalServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOOK.EXE"	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\MiscStatus\1	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\InprocHandler32\ = "ole32.dll"	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\InprocServer32\Class = "Microsoft.Office.Interop.Outlook._DocSiteControlClass"	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\Typelib	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\InprocServer32\14.0.0.0	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\InprocServer32\14.0.0.0\Class = "Microsoft.Office.Interop.Outlook._DocSiteControlClass"	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\ProgId\ = "DOCSITE.DocSiteControl.1"	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\ = "Microsoft Outlook Body Control"	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\InprocServer32\14.0.0.0\Assembly = "Microsoft.Office.Interop.Outlook, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\ToolboxBitmap32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOOK.EXE, 5518"	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\LocalServer32	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\MiscStatus\ = "0"	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\ToolboxBitmap32	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\ProgId	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\Typelib\ = "{00062FFF-0000-0000-C000-000000000046}"	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\InprocServer32\Assembly = "Microsoft.Office.Interop.Outlook, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\MiscStatus	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\MiscStatus\1\ = "131200"	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2800	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2800	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Token: 33	2800	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2800	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2800	2292	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2800	2292	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2800	2292	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2800	2292	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2800	2292	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe	30
PID 2292 wrote to memory of 2800	2292	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe	30
PID 2800 wrote to memory of 3028	2800	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe	31
PID 2800 wrote to memory of 3028	2800	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe	31
PID 2800 wrote to memory of 3028	2800	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe	31
PID 2800 wrote to memory of 3028	2800	ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe	31
PID 3028 wrote to memory of 480	3028	cmd.exe	33
PID 3028 wrote to memory of 480	3028	cmd.exe	33
PID 3028 wrote to memory of 480	3028	cmd.exe	33
PID 3028 wrote to memory of 480	3028	cmd.exe	33
PID 3028 wrote to memory of 2284	3028	cmd.exe	34
PID 3028 wrote to memory of 2284	3028	cmd.exe	34
PID 3028 wrote to memory of 2284	3028	cmd.exe	34
PID 3028 wrote to memory of 2284	3028	cmd.exe	34
PID 3028 wrote to memory of 1656	3028	cmd.exe	35
PID 3028 wrote to memory of 1656	3028	cmd.exe	35
PID 3028 wrote to memory of 1656	3028	cmd.exe	35
PID 3028 wrote to memory of 1656	3028	cmd.exe	35
PID 3028 wrote to memory of 1164	3028	cmd.exe	36
PID 3028 wrote to memory of 1164	3028	cmd.exe	36
PID 3028 wrote to memory of 1164	3028	cmd.exe	36
PID 3028 wrote to memory of 1164	3028	cmd.exe	36
PID 3028 wrote to memory of 1804	3028	cmd.exe	37
PID 3028 wrote to memory of 1804	3028	cmd.exe	37
PID 3028 wrote to memory of 1804	3028	cmd.exe	37
PID 3028 wrote to memory of 1804	3028	cmd.exe	37
PID 3028 wrote to memory of 1732	3028	cmd.exe	38
PID 3028 wrote to memory of 1732	3028	cmd.exe	38
PID 3028 wrote to memory of 1732	3028	cmd.exe	38
PID 3028 wrote to memory of 1732	3028	cmd.exe	38
PID 3028 wrote to memory of 2356	3028	cmd.exe	39
PID 3028 wrote to memory of 2356	3028	cmd.exe	39
PID 3028 wrote to memory of 2356	3028	cmd.exe	39
PID 3028 wrote to memory of 2356	3028	cmd.exe	39
PID 3028 wrote to memory of 1664	3028	cmd.exe	42
PID 3028 wrote to memory of 1664	3028	cmd.exe	42
PID 3028 wrote to memory of 1664	3028	cmd.exe	42
PID 3028 wrote to memory of 1664	3028	cmd.exe	42
PID 3028 wrote to memory of 2200	3028	cmd.exe	43
PID 3028 wrote to memory of 2200	3028	cmd.exe	43
PID 3028 wrote to memory of 2200	3028	cmd.exe	43
PID 3028 wrote to memory of 2200	3028	cmd.exe	43
PID 3028 wrote to memory of 1260	3028	cmd.exe	44
PID 3028 wrote to memory of 1260	3028	cmd.exe	44
PID 3028 wrote to memory of 1260	3028	cmd.exe	44
PID 3028 wrote to memory of 1260	3028	cmd.exe	44
PID 3028 wrote to memory of 2032	3028	cmd.exe	45
PID 3028 wrote to memory of 2032	3028	cmd.exe	45
PID 3028 wrote to memory of 2032	3028	cmd.exe	45
PID 3028 wrote to memory of 2032	3028	cmd.exe	45
PID 3028 wrote to memory of 2012	3028	cmd.exe	46
PID 3028 wrote to memory of 2012	3028	cmd.exe	46
PID 3028 wrote to memory of 2012	3028	cmd.exe	46
PID 3028 wrote to memory of 2012	3028	cmd.exe	46
PID 3028 wrote to memory of 2264	3028	cmd.exe	47
PID 3028 wrote to memory of 2264	3028	cmd.exe	47
PID 3028 wrote to memory of 2264	3028	cmd.exe	47
PID 3028 wrote to memory of 2264	3028	cmd.exe	47
PID 3028 wrote to memory of 2952	3028	cmd.exe	48
PID 3028 wrote to memory of 2952	3028	cmd.exe	48

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
480	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ad33917223ebfc382731a6bd5be2e58f_JaffaCakes118.exe"
  2⤵
  - Checks BIOS information in registry
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\563B.tmp\run.cmd" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +s /s
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:480
  - - C:\Windows\SysWOW64\makecab.exe
      makecab /d RptFileName="C:\Users\Admin\AppData\Local\Temp\~.rpt" /d InfFileName="C:\Users\Admin\AppData\Local\Temp\~.inf" -f "C:\Users\Admin\AppData\Local\Temp\~.ddf"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c type "C:\Users\Admin\AppData\Local\Temp\~.rpt"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1656
  - - C:\Users\Admin\AppData\Local\Temp\563B.tmp\reg64.exe
      reg64 QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion
      4⤵
      Executes dropped EXE
      PID:1164
  - - C:\Windows\SysWOW64\find.exe
      find /i "6.1"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1804
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo vl.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:1732
  - - C:\Windows\SysWOW64\find.exe
      find /i "NOVOLUME"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2356
  - - C:\Windows\SysWOW64\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1664
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i 1060
      4⤵
      System Location Discovery: System Language Discovery
      PID:2200
  - - C:\Windows\SysWOW64\sc.exe
      sc query KMService
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1260
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i 1060
      4⤵
      System Location Discovery: System Language Discovery
      PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\563B.tmp\reg64.exe
      reg64 QUERY "HKLM\SOFTWARE\Microsoft\Office\14.0"
      4⤵
      Executes dropped EXE
      PID:2012
  - - C:\Windows\SysWOW64\sc.exe
      sc query osppsvc
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2264
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /i 1060
      4⤵
      System Location Discovery: System Language Discovery
      PID:2952
  - - C:\Windows\SysWOW64\sc.exe
      sc start osppsvc
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2068
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo ospp.vbs /dstatus
      4⤵
      System Location Discovery: System Language Discovery
      PID:3048
  - - C:\Windows\SysWOW64\find.exe
      find /i "VOLUME_KMSCLIENT"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2472
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo ospp.vbs /dstatus
      4⤵
      System Location Discovery: System Language Discovery
      PID:1488
  - - C:\Windows\SysWOW64\find.exe
      find /i "No installed product keys detected"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2164
  - - C:\Users\Admin\AppData\Local\Temp\563B.tmp\reg64.exe
      reg64 QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion
      4⤵
      Executes dropped EXE
      PID:1320
  - - C:\Windows\SysWOW64\find.exe
      find /i "5.1"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\563B.tmp\reg64.exe
      reg64 QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentVersion
      4⤵
      Executes dropped EXE
      PID:2244
  - - C:\Windows\SysWOW64\find.exe
      find /i "5.2"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1092
  - - C:\Users\Admin\AppData\Local\Temp\563B.tmp\reg64.exe
      reg64 QUERY "HKLM\SOFTWARE\Microsoft\Windows" /v "AdminTest"
      4⤵
      Executes dropped EXE
      PID:1564
  - - C:\Users\Admin\AppData\Local\Temp\563B.tmp\reg64.exe
      reg64 ADD "HKLM\SOFTWARE\Microsoft\Windows" /v "AdminTest" /t REG_SZ /d "" /f
      4⤵
      Executes dropped EXE
      PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\563B.tmp\reg64.exe
      reg64 DELETE "HKLM\SOFTWARE\Microsoft\Windows" /v "AdminTest" /f
      4⤵
      Executes dropped EXE
      PID:1632
  - - C:\Users\Admin\AppData\Local\Temp\563B.tmp\msgbox.exe
      msgbox ~Please disable Firewall and Anti-Virus software for correct activator work. Otherwise successful activation is not guaranteed.``Did you run the program as Administrator?~Activation Tool~52
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1356
  - - C:\Users\Admin\AppData\Local\Temp\563B.tmp\msgbox.exe
      msgbox ~`The activator is based on ZWT KMS emulator.`KMS emulator is installed as Windows Service, not too much memory`used, around 2 Mb of RAM. Code generated by KMS emulator is not`always valid, that is why sometimes activation may fail. In this case` just repeat activation request. This is KMS emulator problem, but not`the the activator fault.``Activator works on 32 and 64 edition of Office 2010`and Windows 6.0 or newer.````What's New in version 1.055?`` -Fixed activation 64 edition Windows 6.0 or newer.` -Windows 7 SP1 Beta activation support.` -Added button Activate ALL VL (same as switch /all).` -Optimized detect Office 2010 products on 64 edition of Windows.` -Office 2010: Setting of counter of rearms (counter is working` for the rearms made with activator only).` -Install/Uninstall KMS emulator as Windows service without` Command window.` -KMS emulator installation process is modified.` -Fixed conflict with firewall for the occasional running of KMS`emulator.` -Copy function of the KMS emulator file path which is useful to add`exceptions to the anti-virus programs.` -Internal errors reporting (eg: if activator components are` blocked by antivirus software).` -Improved checking whether activator is running on behalf of` Administrator.` -Activator code optimization.`~Activation Tool info~0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1908
  - - C:\Windows\SysWOW64\xcopy.exe
      xcopy /h /y 1.055.tmp C:\Users\Admin\AppData\Local\Temp
      4⤵
      System Location Discovery: System Language Discovery
      Enumerates system info in registry
      PID:920
  - - C:\Users\Admin\AppData\Local\Temp\563B.tmp\autorun.exe
      autorun.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\563B.tmp\1.055.tmp

Filesize
1KB

MD5
b7bc5e07841cd671f677b1900c3cc0da

SHA1
0d8afbc9e257cd1adcd02df94a5b4ae19f6a8d24

SHA256
f1ba4a343100f80cf9654201443ce98ff582bba41a4307843d721a191d02c9e3

SHA512
2f48d97fb627d32a0520c8bd56fe8006b861d299624c4c76c351d07e5164eabeb1b7636e94572c811deaab77422db7936c9c7a0e448dc0d729bb03148d5843de

Download Submit
C:\Users\Admin\AppData\Local\Temp\563B.tmp\KMService.exe

Filesize
148KB

MD5
bca43e19e7013331d99ff788ea6b42a0

SHA1
01c7d28e8828a91c27ffe0f1155cfa835fa6d703

SHA256
b075602cf6bcb3284c44a640daffa49cc5aa8f469a20e4b242f2dde85fcb4dbe

SHA512
8377279d3ffc9e1cdd0098c1a0b1117c9c9f21247a07620c7a0e3289853307b98c03d5b880e5f1b9c804afdf236426712d527524f334ae9021fb4544a79a4e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\563B.tmp\autorun.apm

Filesize
271KB

MD5
bc10762a75fa0dd9cb76150717ab07cd

SHA1
74afe5f60373d002a793fca5a4c6ce861bd6d0fa

SHA256
3ded5196710d6a0a809a990aca83c0a89a6172da8cd21dca8703058cc73f2598

SHA512
5379e1bab8150d2ba2b71e23ec7b639d505927c10a22216614960971283b1450a5cb70ab1cdabdc47642b5d12fdd47a7ef2a9f4d10a7107730cb9bb16a3bb0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\563B.tmp\autorun.exe

Filesize
1.4MB

MD5
9f5db165601843001dd313c6c2840db9

SHA1
3289567355012833e9c47357abc9e65108906ed1

SHA256
17fe65695d275a85977b697fa98ce77a07c006e7744240eb7bbf365ce0bf9074

SHA512
e87908bfcd8d35399d4604d9ce03823d79a6a63510ca8a1fbfdc001c095bd79fc715b438435faa0081f0a445aaf68171ebe0ece09e1998ac46704f3a2cdf6add

Download Submit
C:\Users\Admin\AppData\Local\Temp\563B.tmp\choice.exe

Filesize
36KB

MD5
a704d22d57b62553e27ad261276b0625

SHA1
4750f086f1baef7d179a81d6b99470eae21cc4da

SHA256
5632b9495ed595712eb7dfad4e6d166a70b68fd3af2f7d72beff57af2385f7e6

SHA512
3bcc5a1f723801dbb4fbe11388f665a237199d43debadd55371c3b75fa05c73a027f2a233d8fc113df40d45375bb117f9348702842687d937e9ca15526c7e512

Download Submit
C:\Users\Admin\AppData\Local\Temp\563B.tmp\clip.exe

Filesize
2KB

MD5
fa1ad005af8c43205bd1979d3438b76f

SHA1
d820b206aa79723657a08150005f3bf30f72c3f6

SHA256
f09acac6f9aa9918a17796ac24755c220422aefeabcb38720ecb2af93f9cc2fe

SHA512
00430514a87262242020548de7a9a92ac5fe5ca5c7fd3e88feb2c93948fb56dff207c6ed45d78cbf8d80ae1b2ae576905c5ca3a5d04f40fe06c882d597371d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\563B.tmp\help.txt

Filesize
17KB

MD5
8a002c8f423e15ae84c45a8dafac6804

SHA1
a0b60db68be42254196e4b165711ed62c3711e9b

SHA256
ae422eda84127d24c3360f82c9980349425b34285621f2a0ab01dbaeaa3fcfab

SHA512
8f5511a1fe27440545a92ee2594d78bb77627d6e08fe1f19257f251979a26d1879eb0b73e1ada51a451c5d27520692a5a3f8c53057b2965c8ce98532e10bf096

Download Submit
C:\Users\Admin\AppData\Local\Temp\563B.tmp\hidcon.exe

Filesize
2KB

MD5
b2dadab18c318443301d0087cd7200ba

SHA1
c0adf61a17a3698548bee1ef225ad824ab901e0d

SHA256
b88a4d442bcd94457fc75dc5a541dc3437fd01091a2b6500569c699260e65238

SHA512
4bae11cde7936c9ef0549074f2e03307f3cf13f4a824744c68e7fb46c656bb136ebf590675ab43f5cb7b247483ad5bb939be30e8b3a3c4fbf70c9884af7988ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\563B.tmp\msgbox.exe

Filesize
29KB

MD5
9637af2c525341bf7ab757a9d9427d8f

SHA1
fa1206f99ecc76c3bf13569cb0179dc383410b7c

SHA256
952d1623f59b8bdf804400f448667edd301eca9d6378aa8bdba0edbb8737b981

SHA512
f301a841a2e31162b98c939d98849dbc9553597bb4a3d467b4ef0dd46382bf7a3680003145f953b28c7541d25584312ae7a8c22cedf5fa534ac63ca8135b4144

Download Submit
C:\Users\Admin\AppData\Local\Temp\563B.tmp\ospp.vbs

Filesize
48KB

MD5
330dd574da8d5f6e8cc647f3df847a0b

SHA1
cfb7602de1cb2444d2643c5afa6e11afedb75503

SHA256
444200024bda274f5d7d1e347923233076254e2e54fcd270faa0113794188227

SHA512
e0ad4cd7bc33e766f0f28d15e2ea1287337800786137a33f0c7b2339a6ff0450d9cd5577868d4d7212a8fd662cb06663563d961ccff8da9d131ac91ce51b32cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\563B.tmp\osppc.dll

Filesize
124KB

MD5
1d9c3d7a1f8838e6280fa3f7d1fe4ed8

SHA1
d02a61c9a27c4d619f09dc22cb921e52aca56822

SHA256
0bd922965118d54d1027cdb628fa0dfb7ad1d6df0910c80db3f140c9255101d8

SHA512
b897410cd57fc4de6d2168b5aeafc528814526358245c7d96cbd1dead4fb4950e664bdc38b9628efe98ab0b35c74dc460c90a0bb4293dfd170a2aca41140245e

Download Submit
C:\Users\Admin\AppData\Local\Temp\563B.tmp\ospprearm.exe

Filesize
13KB

MD5
7ffae006610a85317fbb092a2d65d1a9

SHA1
f61f245695232ada51d81671e9918d54d9f35575

SHA256
f10acd6e32bc4d7cc74feb9e84fec18a77aeb2838ebf2aa7e3280ba1c7f3fca2

SHA512
fa163a348c7e557d12b24f212eede900dee416f54557cc6cc1a18c6cf2d4d19e049e4e03000abaada320c80dbabba4a4eb028ace629442ecea8dab0add9ccc9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\563B.tmp\reg.exe

Filesize
76KB

MD5
648b897a1b446c82008bfb9add6caabb

SHA1
4c989e077255fe122448d09e776231ff0dc566f9

SHA256
1048b77507ff4ecf9765289524ce00e759491c3cf87df63850708150eb5b005e

SHA512
d8cd10223f390b56abe3e2ddd6551dd8610a8d0b22765eb05499ec0008562b0494fd18d016e7155d744518d48902ccfbbed004acb2280ee9ea12264b8df36868

Download Submit
C:\Users\Admin\AppData\Local\Temp\563B.tmp\reg64.exe

Filesize
120KB

MD5
cafb9dc298410ccb0d43f2838a051f3f

SHA1
fea6b21b48f80c851872c08b56aaae821a82faac

SHA256
0ed6bb6d7f86f5019e18032258dde456d54fa7ad6e65ac027e8e9e34e15d421d

SHA512
fa8926bf3e777473a66ec52564fec8dbcfc82b145ff1bfb4b76afcb01a6c3762d68f7f5b5cad54ff7e497334e364a2781d559268c02d29f8578e7b3497014904

Download Submit
C:\Users\Admin\AppData\Local\Temp\563B.tmp\run.cmd

Filesize
8KB

MD5
c4e5d1ca21af481a8a101814b63cc990

SHA1
0511ec324395c75823267b6dce9338b57d2b9097

SHA256
71a6fb88452a90cadb634e8eb3dab17b47afa3875a6edcd72f57c6966e2dcf99

SHA512
14b61c8bd2c7bd31c2e52f4ca7d39dd0551dc96465d3966c165796566cf9efbda8c7c5286172e093f3612dec84465f5d58976ed2465d36b1cedf55bbdeabc5a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\563B.tmp\scripts.exe

Filesize
150KB

MD5
dd99745b4e28fb192afe075ea3dcd611

SHA1
71513cb08c7083cc095adec14abafe34e9f19ffa

SHA256
bb8b16121972d60797cf2a3b85216c9854d5a2a73fd419e9bc68e7a046dcbf14

SHA512
14295140a486c6e9367e3c2c0806c2b7f7e62b9786609e7ecf8e3a08e6b01039a7d9e2e666879972a2101f4ada4836984c5291e715a4765c786f57b2efc371ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\563B.tmp\service.inf

Filesize
1018B

MD5
55c9f66a9dff6cd61ffd16802af3d64a

SHA1
2fdc6a597b04d9b054d586a3cf231d20201cebf1

SHA256
b408e0e382fea634c55de095e9a867adc589f2e607b7458ac865e0ed5f05a0d2

SHA512
96e4b1016ba2f482285c1ed6cb71d99e9d5227150d370e1ef1e63f17bd8a45ff53d9805a27ff3d875d1591b702bfe833a88e459abd23687a372476d6df3f4682

Download Submit
C:\Users\Admin\AppData\Local\Temp\563B.tmp\slerror.xml

Filesize
32KB

MD5
27d95db14d6618daea9d48f317789061

SHA1
1b6a1de1d07b4a11e797f360e8982bf90e614ff7

SHA256
8568ca459591d62a6fe33da7e0f42c16002a7251d0187e49f2fde36e23b6f570

SHA512
f9099287dd5c70d7a298e8c4af36480cfe4e8e4c5cff8bc01058eb7560253336719679893542c56434b7754e369f1d4ef7f0edb4ad401dd9e83f743c63c564bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\563B.tmp\srvany.exe

Filesize
8KB

MD5
4635935fc972c582632bf45c26bfcb0e

SHA1
7c5329229042535fe56e74f1f246c6da8cea3be8

SHA256
abd4afd71b3c2bd3f741bbe3cec52c4fa63ac78d353101d2e7dc4de2725d1ca1

SHA512
167503133b5a0ebd9f8b2971bca120e902497eb21542d6a1f94e52ae8e5b6bde1e4cae1a2c905870a00d772e0df35f808701e2cfbd26dcbb130a5573fa590060

Download Submit
C:\Users\Admin\AppData\Local\Temp\563B.tmp\vl.vbs

Filesize
3KB

MD5
00bc255f8db19d329f11b0c54cc3de72

SHA1
bc476bf18b996366d246734706205e21a85a230c

SHA256
c42810ea0516f9550da2868875809aa1ad1131be6e8c94ccfcdf380a9067ef2c

SHA512
cee56ec35dce538511b0cda2b94e0d646e002f4bbfbeb48b07f0ce608b98911bb0d547e7f8f226a5a806cf8c5c8a464fad2361e81ad5613abee0d00e305604ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\~.ddf

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~.rpt

Filesize
283B

MD5
d824bd3a1fc2cd2c31be788d66532846

SHA1
c609b1f6b1015dd2accc66c6aa7faaa6cf314b6d

SHA256
f172125c92aeb7611a23e705d48f630f692860397fb1a511bf049ff8d8aacf47

SHA512
438f802feec264763c2d0ad4d2cb38d4cbe6d02b2a704f09bad842e488d86ed515d8a414553396c449daa458a9c1419df53e40e130806d969af023dbc7adfeb3

Download Submit
\Users\Admin\AppData\Local\Temp\apm8749.tmp

Filesize
146KB

MD5
3d4839228c7ee77e28832879eeb17340

SHA1
ebe4a6388c8c6831837e232b48b8f4266b7f711e

SHA256
5d6ff8a11cda6d5b1e6d8a5562594379a082cee18f402a8a0a26b8cabe428954

SHA512
f3c534524eaa4b51ee44a6c1d05a142c0d10d9c1c48db79b60903dd948d5712b367479b82cd85fa8ee094dcd2569c0fd85a36c10c97deab59e49e1f1f4da6c56

Download Submit
memory/2292-0-0x0000000000400000-0x0000000000851000-memory.dmp

Filesize
4.3MB

Download
memory/2292-141-0x0000000002940000-0x0000000002D91000-memory.dmp

Filesize
4.3MB

Download
memory/2292-116-0x0000000000400000-0x0000000000851000-memory.dmp

Filesize
4.3MB

Download
memory/2292-2-0x0000000002940000-0x0000000002D91000-memory.dmp

Filesize
4.3MB

Download
memory/2412-160-0x0000000000400000-0x00000000005B1000-memory.dmp

Filesize
1.7MB

Download
memory/2412-162-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/2412-152-0x0000000010000000-0x000000001007E000-memory.dmp

Filesize
504KB

Download
memory/2800-3-0x00000000006F1000-0x00000000006F2000-memory.dmp

Filesize
4KB

Download
memory/2800-10-0x0000000000400000-0x0000000000851000-memory.dmp

Filesize
4.3MB

Download
memory/2800-1-0x0000000000400000-0x0000000000851000-memory.dmp

Filesize
4.3MB

Download
memory/2800-106-0x0000000000270000-0x00000000002D4000-memory.dmp

Filesize
400KB

Download
memory/2800-4-0x0000000000270000-0x00000000002D4000-memory.dmp

Filesize
400KB

Download
memory/2800-137-0x0000000000400000-0x0000000000851000-memory.dmp

Filesize
4.3MB

Download
memory/2800-9-0x0000000000400000-0x0000000000851000-memory.dmp

Filesize
4.3MB

Download
memory/2800-11-0x0000000000400000-0x0000000000851000-memory.dmp

Filesize
4.3MB

Download
memory/2800-13-0x0000000000270000-0x00000000002D4000-memory.dmp

Filesize
400KB

Download
memory/2800-12-0x0000000000400000-0x0000000000851000-memory.dmp

Filesize
4.3MB

Download
memory/2800-14-0x0000000000400000-0x0000000000851000-memory.dmp

Filesize
4.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads